A Story of Three Kernel Vulnerabilities

A security-oriented firm called Trustwave recently sent out a preview of an upcoming report [PDF] that features some focused criticism of how the Linux community handles security vulnerabilities. Indeed, it says: "Software developers vary greatly in their ability to respond and patch zero-day vulnerabilities. In this study, the Linux platform had the worst response time, with almost three years on average from initial vulnerability to patch." Whether or not one is happy with how security updates work with Linux, three years sounds like a rather longer response time than most of us normally expect. Your editor decided to examine the situation by focusing on two vulnerabilities that are said to be included in the Trustwave report and one that is not.